Endpoint Analytics: Locate devices not enrolled with Windows Hello for Business


As promised, another use-case and example of Proactive Remediations in the new Endpoint Analytics feature in Microsoft Endpoint Manager (Intune).

In this example, I’m locating all devices, which currently are not making use of Windows Hello for Business, and display its logged on user a Toast Notification to remind them to get started.

If and when any organization is promoting and requiring the use of Windows Hello for Business, you will want to make sure that the users indeed are setting this up – and if not, nag them continuously until done.

Proactive Remediations

To get this started, head into the Endpoint analytics space of Microsoft Endpoint Manager:

  • Browse to Proactive remediations
  • Click + Create script package

Detection Script

The detection script, is the one doing the magic in locating devices not using Windows Hello for Business.

The script is available from my GitHub page: https://github.com/imabdk/Powershell/blob/master/Detect-WindowsHelloEnrollment.ps1

The detection script is going into the Detection script area where it’s mandatory.

Remediation script

  • NOTE: It’s not a requirement to be using a Remediation script. If you don’t intend to display the users a toast notification, simply leaving the remediation script blank will work. In this case, you can use the feature for the audit and monitoring possibilities.

The remediation script is my entire Windows 10 Toast Notification Script found here: https://www.imab.dk/windows-10-toast-notification-script/

Proactive Remediations doesn’t support passing parameters to the script, so in order for the Toast Notification Script to work, you will have to hard code the path to the config.xml file.

NOTE: Again, the Toast Notification Script has been modified to now support config.xml files being hosted online. Here, I’m hosting a config.xml in blob storage in Azure:

[string]$Config = “https://krpublicfiles.blob.core.windows.net/toastnotification/config-toast-whfb.xml”


Assignments is the last part of setting this up, as well as deciding how often the script will run.

I have a collection in Configuration Manager which is being synced to Microsoft Intune, and I’m running this every hour.

In Action

When everything is properly setup, you will see that the detection script finds devices which is not enrolled in Windows Hello for Business.

On those devices, a Toast Notification is displayed, similar to those toast examples in the beginning of this post.

Taking a closer look on IntuneManagementExtension.log (C:\ProgramData\Microsoft\IntuneManagementExtension\Logs) you will also notice the reason for the Toast Notification to be displayed:

[HS] lastLine of output = [Multiple SIDs]: Not good. PIN credential provider NOT found for LoggedOnUserSID. This indicates that the user is not enrolled into WHfB.

As well as when the Remeditation script is run, the Toast Notification Script writes an output when successfully displayed:

[HS] lastLine of output = All good. Toast notification was displayed


Whether you use this just for the monitoring possibilities, the device status page is quite clear about where to act.

In my example below, all the devices tagged as ‘With Issues’ are having a Toast Notification displayed, telling the logged on user to get going or face consequences.


8 thoughts on “Endpoint Analytics: Locate devices not enrolled with Windows Hello for Business”

  1. Hi Martin,
    Thanks for sharing. I am basically looking for a Windows Hello for Business Reporting Tool or PowerShell Script to check the what machines in a domain or in on a specific OU is fully enrolled and those without WHFB.
    Without able to report progress is a project execution in the dark and that makes it hard for large enterprise rollout without reporting feature.
    I am not

  2. Sorry meant to say i am not an endpoint or config manager guy.
    So basically a script that will run against multiple computers for devices that are not enrolled with WHFB and write the output file to cvs.

    • Hey, I don’t have such exact script, but what I’m doing would be easy to modify and have an output to .csv. I assume you have some sort of way to run scripts on your endpoints? 🙂

      • Hey, the problem is am finding it difficult to modify and make it to work natively. Need help if you can. Just need to run the simple script from an elevated PS to check the WHFB registry to match with the login user then export output to csv for the compliance, non-compliance or offline PCs.

  3. Trying to do similar for prompting a reboot after machines exceed a particular interval. The XML file is web hosted as well are the images. The toast notifications are appearing correctly but the “Restart now” button doesn’t do anything. Any idea what I am missing?


Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.